7 Ways GDPR and HIPAA are being confused
I hate to break it to you, but data security compliance is getting harder!
With the European Union's new General Data Protection Regulation (GDPR) enacted on the 25th of May, many businesses around the Philadelphia metro, healthcare offices included, have been asking for clarification on (1) whether GDPR affects them at all, (2) whether HIPAA compliance is sufficient to comply with GDPR, and (3) how to keep data secure so that they stay both HIPAA and GDPR compliant.
Between the added compliance burden of GDPR and growing HIPAA compliance pressures, what is your business to do? No two regulations are quite the same, which makes data security more confusing now than ever.
First off, what exactly is GDPR?
Out of concern over data exposure and breaches harming European citizens, the EU enacted the General Data Protection Regulation on May 25th. To date it is the broadest-reaching data protection legislation ever enacted anywhere.
In brief, GDPR broadens the definition of a personal data breach to any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data that is transmitted, stored or otherwise processed.
Instead of focusing on one type of data, GDPR extends protection to "personal data", which is much broader in scope. GDPR applies to all storage and processing of personal data, so any company that handles individually identifiable information (essentially any information that can single an individual out) will be responsible for keeping that data safe, and for complying with individuals' requests to permanently remove their information from its databases and datasets.
GDPR also applies to any organization that controls, owns or processes data belonging to citizens of EU member states, regardless of where the organization is based.
This means that even a Philly-based business that works with individuals holding EU citizenship will be held responsible by the European Union for protecting and curating that data. You will need not only to protect this personal data as you would other personal health information (PHI), but also to make sure that when an individual asks for their information to be removed, it is actually taken out of your systems.
Today, I want to outline the 7 biggest ways GDPR and HIPAA compliance are NOT the same and get you to start reconsidering how you view your office’s data security.
- Data covered under the law—as I alluded to above, the scope of data protected by HIPAA and GDPR differs considerably. While protected health information (PHI) is certainly protected by GDPR, GDPR expands the definition of protected data well beyond it.
- Entities involved—HIPAA only applies to covered entities (the organizations that take ownership of PHI, such as doctor offices, dentists, physical therapy practices, insurance companies, and HR departments) and business associates (the vendors that serve covered entities and may access or use PHI as part of that service, such as medical billing firms, janitorial companies, information technology vendors, and many other businesses with contracts to healthcare-associated businesses). Covered entities are expected to protect their data and should have business associate agreements (BAAs) with any business associate that may put that data at risk.
In contrast, GDPR defines the responsible parties as controllers (organizations that own or possess individuals' data, such as employers, marketing firms, social media companies, healthcare companies, etc.) and processors (organizations that manipulate individuals' data, such as analytics companies, data storage companies, or any organization tasked with processing personal information on behalf of a controller).
Bottom line: if your business holds any personal information, you are accountable for that data under GDPR; HIPAA only holds those that possess PHI accountable.
- Breach reporting—HIPAA requires organizations to report breaches of 500 records or more. You have 60 days to report a breach, which gives you much more time to devise a strategy for how to report it so as to put your organization in the best possible light.
Under GDPR, on the other hand, you have 72 hours to report a data breach once it is discovered, and you must record every data breach; there is no minimum size threshold.
- Use of health data—HIPAA allows PHI to be used for treatment, payment and healthcare operations without patient consent. GDPR requires an individual's consent before their data is used for health, social care and public health purposes.
- Data retention—HIPAA requires information to be retained for 6 years, with no mention of data removal upon request by an individual.
GDPR underscores that individuals have rights to have their data deleted upon their request.
- Risk assessments—both HIPAA and GDPR require data risk assessments. HIPAA recommends that a HIPAA risk assessment be performed annually. GDPR, through the Data Protection Impact Assessment (DPIA), asks that controllers assess data protection and continuity before every data project is initiated. If you plan to record, store or analyze data, or to change the amount or types of data stored or their intended use, you should probably consider a DPIA.
Note: if you have any questions or concerns with your data protection, consider a free network security assessment.
- Necessary prevention—both HIPAA and GDPR require that your business maintain routine information security protections, including administrative, technical and physical safeguards.
Again, if you are concerned you are not taking necessary steps to protect your data, consider a FREE network security assessment.
Take Home: Data security and protection are hard. With growing data security concerns and growing regulations to protect personal information, is your business doing its due diligence to keep data secure?
Contact us TODAY for a free network security assessment!